Exclusive: Solving every day challenges for CISOs


If you ask CISOs what their biggest pressure points are, it’s likely that the answers will normally coalesce around two areas – demonstrating impact to the board and managing budgets effectively. However, today’s economy is anything but normal. Gartner estimates global IT spending may drop by 8% in 2020 due to the impact of COVID-19. The biggest drop is around devices, while spending on enterprise software will be less affected.

At the same time, cloud security spending is set to grow by 33% as companies manage their remote working initiatives. As a CISO, this represents an opportunity to consolidate your approach, ensure that you can deliver the best results for your company and ensure that security spending remains a priority for the organisation as a whole. At the same time, you can prevent potential risks around the changes in working practices that were rolled out in days compared to the usual months.

Simplifying security processes, data and workflows will be essential to this set of goals, but to demonstrate the value these changes deliver, you first have to define your business goals and how security enables them. Linking the day-to-day tasks of keeping all that IT secure back to wider business risks is a great way to ensure that your changes lead to the right results at both micro and macro levels.

Consolidating your security – not either/or

Today’s security infrastructures will have built up over time, using a mix of different products and vendors to fill gaps and keep things running. However, this can create additional complexity for your teams and lead to wasted budget. Consolidating your security approach is something that can help over time. Regularly reviewing your vendor and product mix can provide opportunities to manage costs and improve the efficiency of your team’s operations. For your strategic vendors, consider implementing quarterly reviews so you can track your results with them more closely.

Consolidation does not simply involve picking tools from your existing major partners to replace those niche, best-of-breed players. Vendors bringing new acquisitions to the table should have to demonstrate the work they have done to integrate their solutions together and provide more value, rather than simply offering multiple discrete tools under the same logo. Integration and value have to go hand in hand.

Looking at tool and vendor consolidation together can improve how efficiently you use your budgets. By looking at how well services are integrated and deliver results back to your team, you can see how those actions translate into more efficiency for your team and for your budgets. Ultimately, the best approach here is to ask how your team can achieve more as a result of consolidation, rather than leading with consolidation first.

Automating processes across teams for detection and response

For many enterprises, the work around security issues can be spread across multiple teams. Processing and managing potential vulnerabilities in one area, prioritising fixes in another, and actually carrying those fixes out can involve three different teams that may sit outside the IT security department. While this might make sense in a traditional IT environment, it doesn’t in the new one that many companies find themselves supporting today.

Bringing together the detection and response phases can make the whole workflow easier and more effective. Rather than handling detection and response around specific areas like software vulnerabilities or endpoints separately, these tasks should be unified. Over time, these tasks should themselves be linked into wider processes so that potential risks can be evaluated, prioritised and managed more quickly. This not only makes the teams involved more efficient, it provides better insight into the overall risk that the business faces.

Automating these steps and workflows can help as well. Rather than relying on manual handoffs and your team performing to peak efficiency all the time in order to maintain security, automation should make those processes more reliable and more efficient. Automation should make your team more productive by recovering cycles and helping them do more with less. This does require a change in mindset, but it should also enable you to deliver more accurate and more impactful security over time.

Partnerships around data

A big change for CISOs is how to partner with vendors more effectively. With more use of cloud security and managed services to support operations, data becomes essential to judge how well your security operations are performing and how this affects your risk profile. For your strategic vendors, working with them around the data they provide can be mutually beneficial.

Running regular review sessions with your key vendors can provide you with essential insights into how your security operations are functioning, but they can also provide opportunities to look at how you will manage your operations in the future too. Having that set of vendors that are real partners – that you know you will work with over time, that you have the right personal fit with and that understand your plans around managing business risk – is one of the best ways to achieve the right results over time.

To get to this, you have to have the right relationships in place. Everyone will automatically say that they want to be long-term partners, but those companies that can really deliver the most value will look for opportunities to help you with their data first. Finding those business problems where data from security can help is the best way to get started, if you do not have those partnerships in place already. By providing context and showing how things change over time, you can demonstrate to the board how your strategy delivers value, rather than presenting technicalities.

Building security into your wider value chain

For CISOs, security is supposed to be the goal. However, you will rarely be judged on how well security teams are performing on a day-to-day basis. So how can you demonstrate that value over time? By how well security is embedded in the wider business, allowing the business to achieve results. This is something that is easy to say, but difficult to achieve.

Areas like DevOps are good places to start, as many companies are still starting out around how they make use of agile application and software development processes. Security should be embedded in how these teams work from the start, so that all the elements in the software development life cycle have security in place. The alternative is the traditional security gatekeeper model, where you effectively block the company from getting new implementations and projects into production. Not only does this lead to more adversarial discussions, you are associated with the expense if anything bad is found. Getting a more collaborative model in place where problems are found and fixed within the process is more likely to be successful.

Looking at your company’s value chain can help – for example, where are the new development projects taking place and can you start conversations with those teams before new work gets started? Can you guide them around problems they can fix in advance of testing or QA? By helping them keep up their speed and efficiency, you can help the whole business to deliver and be innovative.

Success for CISOs

With COVID having forced more remote working and more digital initiatives, most companies are keen to keep ahead of their competitors. Using data to support partnership discussions with your key vendors, developing security’s place within the company’s value chain and focusing on how to demonstrate management of business risk to the business will all be essential goals for the future. By thinking ahead on how you make use of data, you can demonstrate your success over time.

By Benjamin Carr, CISO, Qualys